CVE-2019-19340: Initialization of a Resource with an Insecure Default in Red Hat Ansible Tower

Severity: 8.2 HIGH (NVD)
EPSS: 0.4% (top 38.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 19; latest update May 24

Description

A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.3. Enabling the RabbitMQ manager in the installer with '-e rabbitmq_enable_manager=true' exposes the RabbitMQ management interface publicly, which is the intended effect of that option. If the default admin user is still active, an attacker could guess its password and gain access to the system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Exploitability: 3.9 | Impact: 4.2

Affected Packages (2 packages)

NVD: redhat/ansible_tower, affected from 3.5.0, fixed in 3.5.3 (+1)
CVEListV5: red_hat/tower, ansible_tower versions 3.5.x before 3.5.4, ansible_tower versions 3.6.x before 3.6.2 (+1)

Also affects: Enterprise Linux 7.0

🔴 Vulnerability Details (2)

GHSA: GHSA-7844-v3mr-c966: A flaw was found in Ansible Tower, versions 3… (2022-05-24)
CVEList: CVE-2019-19340: A flaw was found in Ansible Tower, versions 3… (2019-12-19)

📋 Vendor Advisories (1)

Red Hat: Tower: enabling RabbitMQ manager in the installer exposes the management interface publicly (2019-12-14)

💬 Community (1)

Bugzilla: CVE-2019-19340 Tower: enabling RabbitMQ manager in the installer exposes the management interface publicly (2019-12-12)
CVE-2019-19340 — Redhat Ansible Tower vulnerability | cvebase